Enterprises can control user access to enterprise applications, such as web applications, by authenticating users via user credentials, such as a username and password. Enterprises may wish to provide a more secure environment by implementing two-factor authentication, which uses two or more authentication factors. The authentication factors include “something the user knows” (e.g., username, password, PIN, pattern), “something the user has” (e.g., a device, a computer, a mobile phone, a physical card, a smartcard, an authentication token), and “something the user is” (e.g., a biometric characteristic such as a fingerprint or a unique retina). When a user accesses a website that uses two-factor authentication, the website might request a username and password (“something the user knows”). The website can also detect or receive identification data from a device that correlates the user with the device (“something the user has”). The website can identify the device using a device tag.
In web services, such as in client-server configurations or cloud computing configurations, an end-user signing into a relying party (RP) website encounters situations where the end-user no longer has access to the RP website because, for example, the end-user has lost, misplaced or forgotten the credentials needed to access the RP website. In response, the RP website may choose to challenge the end-user using static knowledge-based (KB) challenges, such as “What is your mother's maiden name?”, “What is your favorite book?”, “What was your childhood nickname?” or the like. These KB challenges rely on static knowledge that is usually based on the end-user's information gathered by the RP website itself. These KB challenges are also site-centric KB challenges. Such static, site-centric KB challenge techniques are prone to social engineering attacks. Social engineering, in the context of security, refers to the manipulation of end-users into performing actions or divulging confidential information, through techniques such as pretexting, diversion theft, phishing, or the like. That is, an attacker who gathers this static knowledge can then gain access when challenged by the RP website.